Nearly half of employees have failed to change their password habits while working from home, a study has revealed, in confirming that not even the pandemic-era explosion in cybercrime and online scams has convinced users to take password security seriously.

Fully 92 per cent of 3,750 consumers surveyed in a recent LogMeIn survey said they know that using the same password across many sites is a security risk – yet 65 per cent said they do it anyway.

Password reuse is a major facilitator of cybercriminal compromise, with Verizon’s latest Data Breach Investigations Report (DBIR) flagging an explosion in web application attacks in which cybercriminals obtain dumps of individuals’ passwords from one system and try the same password on other cloud and work services.

Whether it’s using a victim’s Minecraft password to access their employer’s Salesforce customer database, or plugging a user’s Zoom password into their email account, cybercriminals are finding new ways to access confidential company information, install ransomware, and launch convincing business email compromise (BEC) attacks.

Cybercriminals know how people work, and they know that users tend to fall back on what’s comfortable no matter what their IT department says.

Although 79 per cent of the LogMeIn respondents agreed that compromised passwords are a problem, more than half said they rely on remembering passwords – often leaning towards using easily-guessable information, such as birthdays or home addresses, that are often readily available from public-records websites.

And 71 per cent of Australians said they always, or mostly, use the same password variation.

The overlap of work and personal spheres has compounded the problem, with 71 per cent of respondents saying they were working wholly or partly remotely and 70 per cent spending more time online for personal entertainment during the pandemic.

Sheer numbers are an issue, with 90 per cent of respondents admitting they have up to 50 accounts with online services or applications – compounding the potential damage if even one of these accounts has the same credentials as a sensitive business system.

The new figures “showcase the impact of the COVID-19 pandemic amid the increased time we spent online,” said LastPass vice president of product management Dan DeMichele, “which has increased our vulnerability to potential hackers.”

“As we continue to grow our online presence, we need more robust protection for our online information,” he added, advising business and IT executives to push hard for multi-factor authentication or single sign-on alternatives “to ensure that your employees are the only ones accessing their information.”

Do as I say, not as you do

Not only are employees bad at creating and managing passwords – just 32 per cent said they would intentionally create strong passwords for work-related accounts – but 45 per cent weren’t even concerned enough to change their passwords after their company had been hit by a data breach.

Fully 83 per cent of respondents said they wouldn’t even know that their passwords had been published or sold on darkweb sites – information readily available through sites like HaveIBeenPwned and being built into web browsers like Microsoft Edge and Apple Safari.

Whether due to end-user disinterest, COVID-induced brain fog or a genuine lack of understanding about the true extend of cybercriminal activity, cognitive lapses around password and online security are exacting a significant toll on Australians – who, recent figures from ACCC Scamwatch revealed, lost $211m to scammers between 1 January and 19 September alone.

That was up 89 per cent on the same period during the height of the pandemic last year, Scamwatch noted, with losses to phishing scams increasing by 261 per cent and identity-theft scams up 234 per cent.

Despite these very real risks, the report notes, ultimately “cognitive dissonance prevails [and] people pick and choose what information they think is worth protecting…As a result, they knowingly engage in risky password behaviours.”

Some 20 per cent of respondents shared photos of their pets with their pets’ names, then use those same names in their passwords.

Similarly, 27 per cent of respondents shared photos of their house or neighbourhood, while 53 per cent shared vacation photos online – providing a range of valuable clues for cybercriminals that “scrape public profiles and can use seemingly harmless information to hack accounts outside of your social media.”

Users should treat all credentials as vulnerable, the report advises: “You might not think your local gym credentials are worth anything to hackers, but if those credentials are identical or close to your bank account login, a breach at your gym could mean sensitive financial information is exposed, too.”